HR-AI vendor due diligence: what an ATS or screening tool must prove

Zahed Ashkara, AI Compliance & Governance Advisor
8 minute read | HR & recruitment | May 3, 2026
Why HR-tech due diligence has changed

For years, an ATS, matching tool or screening module was evaluated like ordinary software. Does it fit the workflow? Is the interface usable? Can it connect to the HRIS? What does it cost per recruiter?

For AI in recruitment, that is too narrow. Once software ranks candidates, filters applications, matches profiles or evaluates worker behaviour, it touches access to work. The AI Act explicitly lists this domain in Annex III point 4: recruitment and selection on one side, worker management and employment relationships on the other[1].

That does not mean every tool is prohibited or unusable. It means that a generic vendor promise is not enough. An HR team, staffing firm or HR-tech vendor must be able to explain what the system does, which risks were assessed, which data were used, how bias is monitored and how people review the output.

The core due diligence question changes from "does this tool work?" to: "can we prove this tool is used responsibly?"

The five evidence areas to request

Good HR-AI due diligence does not stop at security and price. For recruitment and workforce AI, request evidence in at least five areas.

1. Scope and classification

The vendor should explain the intended purpose of the AI system. Is it used for targeted job ads, CV filtering, candidate matching, interview analysis, task allocation, performance monitoring or retention risk?

Then there should be a classification note. Does the system fall under Annex III point 4(a), point 4(b), another high-risk category, or is there a reasoned argument that it falls outside high-risk? If the vendor says the system is merely "assistive", ask for the reasoning. The Commission's draft guidelines make clear that classification depends on the system and its context[2].

Practical evidence:

  • short system description;
  • intended purpose;
  • relevant Annex III route;
  • reason why the tool is or is not high-risk;
  • description of the human decision that follows the AI output.

2. Data and bias

A model that ranks candidates always learns something about people. Due diligence should therefore ask not only about model performance, but also about data quality and proxy risk.

Ask about training data, validation sets, representativeness, outlier handling, excluded variables and recurring bias checks. More importantly, ask for the outcomes. A polished fairness policy means little if the vendor cannot show measurable monitoring.

Practical evidence:

  • data lineage;
  • representativeness analysis;
  • bias testing by relevant group or proxy;
  • mitigation plan for unequal outcomes;
  • monitoring frequency after go-live.

3. Transparency to candidates and workers

Candidates should not discover after the fact that AI played a role in the process. Transparency is more than one sentence in a privacy notice. The candidate should be able to understand where AI support is used, for what purpose, which data matter and who makes the final decision.

The same applies to worker management AI. If a system influences schedules, tasks, performance signals or promotion advice, the organisation needs to explain what happens and how someone can ask questions, request correction or challenge the process.

Practical evidence:

  • candidate notice;
  • worker information notice;
  • privacy text;
  • process for questions, correction and objection;
  • logging of human review.

4. Human oversight

"Human in the loop" is not evidence. It is a label. You need to know what the human actually sees, which anomalies they can identify, when they must intervene and how an override is recorded.

A recruiter who only sees a green score and a red score does not have meaningful control. A hiring manager who does not know which factors carry weight cannot review AI output well. Human oversight must be translated into screens, instructions, escalation rules and training.

Practical evidence:

  • oversight playbook;
  • explanation of model output;
  • override procedure;
  • escalation matrix;
  • examples of logged corrections.
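To make "measurable monitoring" (section 2) and "examples of logged corrections" (section 4) concrete, here is a small Python script added to this article as an illustration; it is not the article's own material and not any vendor's product. It computes the selection rate per group on constructed screening outcomes, flags any group whose rate falls below a four-fifths threshold relative to the best-performing group, and records a human override as a structured log entry that captures what the reviewer saw and why they deviated. The threshold, the group labels, the candidate ids and the log fields are all assumptions chosen for the example, not requirements stated in the article.

```python
"""Added example: evidence-style bias monitoring and override logging.

Everything here is constructed for illustration. The disparity threshold,
group labels and log schema are assumptions, not prescriptions from the article.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed screening outcomes: (candidate_id, group, advanced_to_next_stage).
# "group" stands for a monitored attribute; the ids and groups are made up.
OUTCOMES = (
    [("A%02d" % i, "A", i < 6) for i in range(10)]   # 6 of 10 advanced
    + [("B%02d" % i, "B", i < 3) for i in range(10)] # 3 of 10 advanced
    + [("C%02d" % i, "C", i < 3) for i in range(5)]  # 3 of 5 advanced
)

# Assumption: the four-fifths rule as the monitoring threshold.
DISPARITY_THRESHOLD = 0.80


def selection_rates(outcomes):
    """Share of candidates per group that the process advanced."""
    counts = defaultdict(lambda: [0, 0])  # group -> [advanced, total]
    for _, group, advanced in outcomes:
        counts[group][1] += 1
        if advanced:
            counts[group][0] += 1
    return {g: adv / total for g, (adv, total) in counts.items()}


def impact_ratios(rates):
    """Each group's selection rate divided by the highest group rate."""
    best = max(rates.values())
    return {g: r / best for g, r in rates.items()}


def bias_report(outcomes, threshold=DISPARITY_THRESHOLD):
    """One monitoring-run record: rates, ratios and the groups needing review."""
    rates = selection_rates(outcomes)
    ratios = impact_ratios(rates)
    flagged = sorted(g for g, r in ratios.items() if r < threshold)
    return {
        "run_at": datetime.now(timezone.utc).isoformat(),
        "threshold": threshold,
        "selection_rates": rates,
        "impact_ratios": ratios,
        "flagged_groups": flagged,
    }


OVERRIDE_LOG = []  # in a real deployment this would be append-only storage


def log_override(candidate_id, ai_recommendation, human_decision,
                 reviewer, reason, factors_shown):
    """Record a human override together with what the reviewer could see.

    Returns the entry so callers (and the evidence pack) can reference it.
    """
    entry = {
        "logged_at": datetime.now(timezone.utc).isoformat(),
        "candidate_id": candidate_id,
        "ai_recommendation": ai_recommendation,
        "human_decision": human_decision,
        "overridden": ai_recommendation != human_decision,
        "reviewer": reviewer,
        "reason": reason,
        # The model factors the reviewer was actually shown: evidence that
        # oversight was more than a green or red score.
        "factors_shown": list(factors_shown),
    }
    OVERRIDE_LOG.append(entry)
    return entry


def override_count(log=OVERRIDE_LOG):
    """How many logged reviews changed the AI recommendation."""
    return sum(1 for e in log if e["overridden"])


if __name__ == "__main__":
    report = bias_report(OUTCOMES)
    print("flagged groups:", report["flagged_groups"])
    log_override("B04", "reject", "advance", "recruiter-17",
                 "relevant experience listed under a non-standard job title",
                 ["years_experience", "skill_match", "education_match"])
    print("overrides recorded:", override_count())
```

The report and the log entry are the kind of artefacts a vendor or deployer could hand over when asked for monitoring outcomes and logged corrections: dated, per-group figures rather than a fairness policy, and a reviewer's recorded reason rather than a bare score flip.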

5. AI literacy and instructions for use

Article 4 of the AI Act requires providers and deployers to ensure a sufficient level of AI literacy for people dealing with AI systems[3]. For HR-AI, that is not generic prompt training. Recruiters, hiring managers, HR business partners and compliance teams each need different knowledge.

A vendor should therefore provide more than a manual. It should show what users need to know to use the system responsibly. The deploying organisation then needs to translate that into role-based training and evidence.

Practical evidence:

  • role matrix;
  • instructions for use;
  • training records;
  • scenario assessments;
  • refresher process when the model or workflow changes.

Ten questions for your next vendor call

Use these questions before signing an ATS, matching module or AI screening tool:

  1. Which parts of your product use AI or automated scoring?
  2. Does the tool fall under Annex III point 4(a), point 4(b), or outside high-risk? Why?
  3. Which data were used for training, validation and monitoring?
  4. Which variables were excluded because they may create bias or proxy discrimination?
  5. Which fairness metrics do you run periodically?
  6. What information does a candidate or worker see?
  7. What exactly does the recruiter see when reviewing an AI score?
  8. How is a human override logged?
  9. What training does a user need before using the tool?
  10. Which documents can you provide within five working days for legal, privacy, procurement and worker representation?

The answer does not have to be perfect. It must be concrete. A vendor that only says "AI Act compliant by design" or "our data are fair" is not yet ready for enterprise HR.

What employers often miss

The biggest mistake is treating vendor due diligence as a procurement-only task. For HR-AI, due diligence needs to be multidisciplinary.

HR knows the workflow. Legal and privacy see employment law, GDPR and information duties. Compliance owns the evidence trail. IT and security review integrations and logging. Worker representation looks at the impact on employees. None of these functions sees the full risk alone.

That is why a short evidence pack often works better than a long questionnaire. Start with the workflow, identify each AI touchpoint and request evidence for each touchpoint. This prevents teams from talking past each other.

From due diligence to evidence pack

A useful HR-AI evidence pack does not have to be perfect in phase one. It does need to show that you know:

  • which AI system you use;
  • which HR decision it influences;
  • which Annex III route is relevant;
  • which bias and data risks were assessed;
  • which human oversight exists;
  • which information goes to candidates or workers;
  • which training and records exist.

That is the layer Embed AI focuses on in the HR-AI Risk & Evidence Sprint. For HR-tech vendors, the emphasis is customer-ready due diligence. For employers and staffing firms, the emphasis is responsible use and demonstrable control.

Need to identify the biggest gap first? Start with the AI Act Gap Intake or review the route for HR-tech vendors.

Final note

HR-AI will not disappear. The tools will become better, faster and more normal in daily recruitment work. That is exactly why due diligence matters more.

Organisations that build an evidence rhythm now will not need to reconstruct later why a system was bought in the first place. They will already have classification, data questions, oversight, transparency and training recorded. That is not legal theatre. It is professional HR risk management.

Sources

[2] European Commission (2026). Draft Commission guidelines on the classification of high-risk AI systems. Shaping Europe's digital future.
[3] European Commission (2025). AI Act Article 4 AI literacy questions and answers. Shaping Europe's digital future.